Passwords or pass keys are widely used to control authorised access to electronic media such as computer programs or Internet websites, for example Internet banking websites. Often, when a user wishes to gain authorised access to a program/website, the user must enter a login identifier (username) and a secret password. These are then checked against entries in a secure database by the program/website and access is only allowed if the login identifier and password correctly correlate with a database entry. The use of such a login identifier and password to control authorised access is known as one-factor authentication.
Password protected resources on computer networks like the Internet range from the simplest services, for example, managing your e-mail list subscriptions, to services requiring high-grade encryption and protection such as trading portfolios and banking services. With the evolution of technology and the proliferation of unscrupulous operators, particularly in the online arena, the protection of these sensitive resources with only a username and password has become insufficient and, in fact, more and more uncommon. The major disadvantage of a simple password is that knowledge of that single vital piece of information can give anyone, anywhere, at any time, unauthorized access to the sensitive data it is meant to protect.
One-factor authentication therefore provides relatively weak protection as it relies on the user keeping his or her login identifier and password secret. In addition, so-called “key-logging” software has been developed that can be installed on computers as so-called “spyware” to record any key strokes made by a user on a computer keyboard. Such spyware, which is often secretly installed by criminals on computers in public places such as Internet cafés, allows a third party to secretly record a user's login identifier and password and use them at a later stage to gain unauthorised access to the user's secure information. This is thus a relatively easy method of circumventing one-factor authentication.
To the applicant's knowledge, recent attempts at improving security have utilized users' mobile telephones because a one-to-one relationship is assumed to exist between a user and his or her mobile phone. For this technology to be used, it is assumed that the phone is always in the user's possession. Short Message Service (SMS) messages are currently the preferred delivery mechanism for security messages and generally take the form of a text message sent by the service provider (for example a banking institution) to the user's mobile phone. The message normally includes a single, unique one-time PIN (OTP) which the user then has to enter manually, in conjunction with his or her normal login details, into the secure environment he or she wishes to access or before conducting a secure transaction. While this technology adds an extra layer of security, it is still susceptible to abuse through techniques such as SIM-card cloning. It also still requires the user to enter an 8-digit code from the cell phone into the website or other interface of the secure transaction he or she wishes to perform. Another disadvantage of this technology is the relatively high cost involved for the institution hosting the secure transaction, as it has to send an SMS message through a GSM network provider each time a user needs to be authenticated. Authentication may take place a number of times during any particular session and each such message will normally be billed for individually by the GSM network provider.
Other completely offline solutions also exist in which a pass key is randomly generated by a mobile digital device each time the user wishes to perform a secure transaction. The pass key is generally a meaningless hash number generated according to some predefined algorithm or private key that is stored on the device and which the secure environment is able to recognise as having originated from an authorized device. This solution involves an initial hardware cost for the issuing institution (in most cases banks) and the user is forced to carry an extra piece of hardware with him or her. In addition, this technology still requires the user to enter a sometimes lengthy and complicated pass key before being allowed to conduct the secure transaction. As mistakes in transcribing the pass key from the mobile digital device will result in the transaction being rejected, this normally adds a significant time delay to the transaction as the user is forced to transcribe the pass key with great care. This solution is, however, also subject to various security threats. The fact that it is completely offline makes it vulnerable to abuse without the user's knowledge. Also, if the key (OTP) generating device is stolen, the thief will be in possession of a device that generates legitimate OTPs, and all the thief then needs is a legitimate username and password, which can easily be obtained by spyware or other means.
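As an added illustration (not code from this specification or from any product it refers to) of the offline pass-key scheme just described: the device and the host share a secret and a counter at issuance, the device derives a short numeric pass key from them, and the host recognises a correct key, rejects a mistranscribed one, and refuses a replayed one. The secret value is constructed, and the HMAC-with-dynamic-truncation derivation (RFC 4226 style) is an assumption about what the "predefined algorithm" might be.

```python
import hmac
import hashlib
import struct

# Constructed example values; a real issuer would provision a random secret per device.
SHARED_SECRET = b"constructed-example-secret-not-real"  # assumption
DIGITS = 8  # the specification mentions an 8-digit code


def generate_otp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Device side: derive a pass key from the stored secret and a moving counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HostVerifier:
    """Host side: accepts pass keys only from the enrolled secret, and accepts
    each counter value at most once, so a captured key cannot be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead  # tolerate a few device presses that were never submitted

    def verify(self, submitted: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(generate_otp(self.secret, c), submitted):
                self.next_counter = c + 1  # burn this counter and every earlier one
                return True
        return False


def demo() -> dict:
    """Walk through one transaction: a mistyped key, the correct key, then a replay."""
    host = HostVerifier(SHARED_SECRET)
    key = generate_otp(SHARED_SECRET, 0)
    typo = key[:-1] + ("0" if key[-1] != "0" else "1")  # one transcription mistake
    return {
        "typo_rejected": not host.verify(typo),
        "correct_accepted": host.verify(key),
        "replay_rejected": not host.verify(key),
    }


if __name__ == "__main__":
    print(demo())
```

Note that nothing in the scheme binds the device to its legitimate holder: whoever holds the device and also knows the username and password passes both factors, which is the stolen-device weakness the paragraph above points out.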
Existing user authentication systems known to the applicant therefore make use of either one-factor authentication (username and password) or offline two-factor authentication (as described in the two previous paragraphs) to protect sensitive information. Two-factor authentication (T-FA) generally refers to a system wherein two different elements, or factors, are used to authenticate the identity of a person or information. The two factors normally include something the person to be authenticated has in his or her possession (for example the pass key generating hardware device or mobile phone in the examples above), and something he or she knows (for example a username and password). Using two factors as opposed to one delivers a higher level of authentication integrity. Any type of authentication in which more than one factor is used is generally referred to as strong authentication.
In the remainder of this specification the term “secure transaction” will be widely construed and may include any instance where user authentication is required before conducting a secure operation or before access is granted to a secure environment. Likewise, a “host of a secure transaction” or “client” should be widely construed to include any institution that offers secure services and that may require the authentication of its users in order to provide the services.